My two-part question here, without speculating on what is actually done with that data (unless you have hard information):

What is the extent of risk here? What is the worst impact, and what does this mean? Basically I'm looking for a threat model / risk profile on this data.

(Assuming the risk is high enough... ) How can one go about protecting themselves (short of dropping the iPhone altogether)? e.g. protecting that file, preventing the logging, deleting it, setting it to not send, etc.

Note that privacy exposures of location tracking information for other phones is also on-topic here.

@nealmcb, I don't think so, but I may have misread. In any event, you're correct that cell tower triangulation is a whole set of issues by itself
–
AviD♦ Apr 26 '11 at 20:57

"Unclear" was referring to the massive number of posts out there claiming that; right now, it is admittedly hard to sift through what is FUD and what is not. In any event there is at least a suggestion of evidence :)
–
AviD♦ Apr 26 '11 at 20:59

Apple has released a statement, but it's full of lies -- apple.com/pr/library/2011/04/27location_qa.html -- as you can see, they are changing the location components of the iOS software in order to remediate the fact that they got caught tracking people
–
atdre Apr 27 '11 at 16:24

There are definitely some good answers here - but I'm going to leave it open for a bit more, to see if it draws any additional perspectives.
–
AviD♦ Apr 28 '11 at 5:07

8 Answers

The most obvious and widespread security issue is that anyone with access to a machine that backs up the iPhone can look at where the phone has been. This can be a plus from the perspective of an iPhone owner who wants to track their children, or a minus from the perspective of a cheating lover.

It is also obviously a way for law enforcement to get loads of data on where people have been, hopefully only after appropriate approvals. Or alternately, for them to track activists, as Thomas points out.

I'm sure some iPhones controlled by enterprises will be used to mine information about their employees, and that may or not be legal, depending on circumstances. And of course the use or suspected use of data under those circumstances can also be used to embarrass an organization.

I wonder if bot herders will be looking for this information on the computers which they have compromised, and what they might think to do with it. A very clever terrorist might look for people who regularly seem to have access to interesting places, and find a way to plant some sort of dangerous payload on such people.

Finally, root access to the iPhone itself, which might happen remotely, could get access to not only current location info (which the attacker would presumably already have), but also to prior locations.

The researchers note one simple and helpful countermeasure: encrypt your backups through iTunes (click on your device within iTunes and then check "Encrypt iPhone Backup" under the "Options" area). Another would be to write a script to systematically delete the files as they are backed up, or to configure backups so they don't back that file up, or to just turn them off....

Update 2: Apple just released a statement saying that this is cached data crowdsourced by other iPhones, not location data for the individual user, and they will be changing how much is stored, and where, and stop backing it up: Apple - Press Info - Apple Q&A on Location Data

Encryption and elimination of the backup data is perhaps the first worthwhile countermeasure I have seen proposed. Unfortunately, this does little (nothing, really) to secure the data that is resident on the phone itself.
–
Iszi Apr 27 '11 at 3:10
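The "script to systematically delete the files as they are backed up" that the answer mentions, as an added example (not code from the original post or from the researchers): iTunes stores backed-up files under hashed names rather than their device paths, so rather than guessing the name this walks the backup folder, keeps every file that carries a SQLite header, and flags any whose schema contains the CellLocation or WifiLocation tables the location cache was reported to hold. The demo backup folder, the hashed file names and the column list are constructed for illustration; the scanner itself only matches on table names. It only removes the copy on the computer, so "Encrypt iPhone Backup" remains the better first step.

```python
"""Scan an iTunes backup folder for the iOS location cache and purge it."""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
LOCATION_TABLES = {"CellLocation", "WifiLocation"}


def looks_like_sqlite(path):
    """Cheap first filter: every SQLite 3 file starts with a fixed 16-byte header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def location_tables(path):
    """Names of known location-cache tables present in a SQLite file."""
    conn = sqlite3.connect(path)
    try:
        names = {row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")}
    finally:
        conn.close()
    return names & LOCATION_TABLES


def find_location_caches(backup_dir):
    """Paths (hashed names and all) of files that look like the location cache."""
    hits = []
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if looks_like_sqlite(path) and location_tables(path):
                    hits.append(path)
            except (OSError, sqlite3.DatabaseError):
                continue  # unreadable, or not really SQLite: skip it
    return sorted(hits)


def purge_location_caches(backup_dir, dry_run=True):
    """Delete every detected cache unless dry_run; returns what was found."""
    hits = find_location_caches(backup_dir)
    if not dry_run:
        for path in hits:
            os.remove(path)
    return hits


# Made-up 40-hex names standing in for iTunes' hashed backup file names.
CACHE_NAME = "4b8e0c5f7a1d2e3f9c6b5a4d3e2f1a0b9c8d7e6f"
OTHER_NAME = "1c9d3e5f7a9b2c4d6e8f0a1b3c5d7e9f2a4b6c8d"


def make_demo_backup():
    """Constructed stand-in for a backup folder (not a real iTunes backup)."""
    d = tempfile.mkdtemp(prefix="demo-backup-")
    cache = sqlite3.connect(os.path.join(d, CACHE_NAME))
    # Column list follows what the research reported for consolidated.db; the
    # scanner only cares that the table is called CellLocation.
    cache.execute("CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER,"
                  " CI INTEGER, Timestamp REAL, Latitude REAL, Longitude REAL,"
                  " HorizontalAccuracy REAL)")
    cache.execute("INSERT INTO CellLocation VALUES (310, 410, 4242, 17, 325000000.0,"
                  " 37.77, -122.45, 500.0)")
    cache.commit()
    cache.close()
    other = sqlite3.connect(os.path.join(d, OTHER_NAME))  # an unrelated app database
    other.execute("CREATE TABLE ZCONTACT (Z_PK INTEGER PRIMARY KEY, ZNAME TEXT)")
    other.commit()
    other.close()
    with open(os.path.join(d, "Manifest.plist"), "wb") as fh:
        fh.write(b"bplist00 (constructed placeholder, not a real plist)")
    return d


def demo(delete=False):
    """Run the scanner over the constructed backup; returns the base names
    found before purging, the names purged, and what is still found after."""
    d = make_demo_backup()
    before = [os.path.basename(p) for p in find_location_caches(d)]
    purged = [os.path.basename(p) for p in purge_location_caches(d, dry_run=not delete)]
    after = [os.path.basename(p) for p in find_location_caches(d)]
    return before, purged, after


if __name__ == "__main__":
    print(demo(delete=True))
```

Run it against a real backup by calling `purge_location_caches("/path/to/Backup/<device-id>", dry_run=True)` first and reading the list before flipping `dry_run` off; iTunes will recreate the file on the next backup unless the phone stops producing it, which is why the answer also suggests excluding it or turning backups off.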

Typically, the iPhone coordinates are personal information, thus most of the directives for data protection regulations protect them. This is not a vulnerability, this is an information disclosure of personal information that is expected to be confidential and subject to data owner consent ---> this is a privacy violation. Still, the risk is not to be assessed with a C.Vulnerability.S.S. rating that shows the Confidentiality, Integrity and Availability perspective, but needs a different scale for privacy violations.

Imagine WikiLeaks publishing those data online! Imagine how many wives/husbands cheating on their partners would be endangered ;) how many delivery personnel would be found in the wrong places... These data are personal and have a personal type of risk that for some would be nothing and for others would be a lot. Just for example, if you can monitor a politician's movements... You know every one of those politicians has an iPhone ;)

How can you protect yourself? I don't know. Interestingly enough, I took some photos with an iPhone 3G and when I synchronized these images with my iPhone 4, for every photo, the iPhone was exactly telling me where I was. So, Apple's justification would be this one for sure, but that left me puzzled for a long time. In between, I assume you know that the iPhone 3G didn't support GPS coordinates with the photos (at least not documented anywhere).

I must disagree with your opinion that this is not a security issue. If you want privacy then you need some sort of security to protect it. And you must agree that supplying your current location to anyone is a security risk, not just from the IT perspective.
–
KilledKenny Apr 26 '11 at 21:30

giving it a second thought, it is an information disclosure. I will update my answer.
–
Phoenician-Eagle Apr 26 '11 at 21:38

iPhone hacking is common, both by users (also known as jailbreaking) and by hackers. I do not know in what version this feature was implemented, because there are exploits that can take over your phone just by using Safari. A lot of jailbroken phones have SSH enabled with a default root password. Most of these users don't know what SSH even is.

So say that someone compromises your iPhone and gets this file. What does the attacker really have? Well, they know where you have been and when (I think the logger logs time too, but don't quote me on it...). This means that they know your daily routine. And since they can figure out where you live by looking at where the phone is during the night, and they know when you work, there's a big opportunity for a break-in.

Another use is social engineering. Say that you have hacked a CEO's phone and you want to extract data from him, but you don't want him to be in the office. Well, you have his current location: wait until he leaves and then call.

This can also be done on an unknown target: call and say that you are their carrier and that there's a problem with their billing. And when they ask for proof you can give them their home address, and if you have access to the phone, give them their current location as proof.

Now, how does one protect oneself from this? That's the hard part. My suggestions are as follows:

Keep the device up to date

If you jailbreak it, make sure that you know what you are doing. Turn off SSH and other features.

Turn off Location Services (I do not know if this will work, but if you don't, I know it won't.)

If you have jailbroken the phone, look for apps in Cydia that will either turn the feature off or delete the file.

Android phones.

I saw a Black Hat or Def Con presentation about Android hacking, and they had written an app that was able, without having requested location or networking permissions, to phone home with the current location. It read the syslog file, was able to find current coordinates that other apps had logged, and sent them to a remote server.
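What the answer's "figure out where you live from where the phone is at night" reasoning looks like in practice, as an added example that is not part of the original answer: a week of constructed cell-tower fixes (no real phone data) is loaded into a table shaped like the reported CellLocation schema, fixes are bucketed onto a roughly 500 m grid, and the busiest night-time bucket is taken as home, the busiest weekday daytime bucket as work, and any date whose night fixes fall outside the home cell as a night the owner was away. The timestamp epoch (seconds since 2001-01-01 UTC), the grid size and the hour windows are assumptions made for the example.

```python
"""What a copied location cache gives an attacker: home, work, and nights away.
All fixes below are constructed sample data, not a real phone's log."""
import math
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: timestamps count seconds from 2001-01-01 UTC (Apple absolute time).
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
NIGHT_HOURS = set(range(0, 7)) | {22, 23}   # when the phone is "asleep"
WORK_HOURS = set(range(10, 17))             # core office hours
CELL = 0.005                                # ~500 m grid in degrees


def build_sample_db():
    """One week of hourly fixes for a fictional owner, with tower-fix wobble."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER,"
                 " CI INTEGER, Timestamp REAL, Latitude REAL, Longitude REAL,"
                 " HorizontalAccuracy REAL)")
    home, office = (37.7675, -122.4525), (37.7925, -122.4025)
    gym, park, trip = (37.7765, -122.4175), (37.7715, -122.4775), (37.3325, -121.8925)
    start = datetime(2011, 4, 4, tzinfo=timezone.utc)  # a Monday
    rows = []
    for day in range(7):
        for hour in range(24):
            t = start + timedelta(days=day, hours=hour)
            weekday = t.weekday() < 5
            if day == 5 and hour in NIGHT_HOURS:
                lat, lon = trip            # one night spent out of town
            elif hour in NIGHT_HOURS:
                lat, lon = home
            elif weekday and 9 <= hour < 18:
                lat, lon = office
            elif weekday and hour in (18, 19):
                lat, lon = gym
            elif not weekday and 10 <= hour < 17:
                lat, lon = park
            else:
                lat, lon = home
            jitter = ((day * 24 + hour) % 5 - 2) * 0.0003  # up to ~60 m of wobble
            rows.append((310, 410, 1000 + day, hour, (t - CF_EPOCH).total_seconds(),
                         lat + jitter, lon - jitter, 500.0))
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def _fixes(conn):
    for ts, lat, lon in conn.execute("SELECT Timestamp, Latitude, Longitude FROM CellLocation"):
        yield CF_EPOCH + timedelta(seconds=ts), lat, lon


def _cell(lat, lon):
    return math.floor(lat / CELL), math.floor(lon / CELL)


def dominant_cell(conn, hours, weekdays_only=False):
    """Centre of the busiest grid cell among fixes taken in `hours` (UTC),
    plus the share of those fixes that fell in it; None if there are none."""
    counts = Counter()
    total = 0
    for when, lat, lon in _fixes(conn):
        if when.hour not in hours or (weekdays_only and when.weekday() >= 5):
            continue
        counts[_cell(lat, lon)] += 1
        total += 1
    if not counts:
        return None
    (glat, glon), n = counts.most_common(1)[0]
    return (glat + 0.5) * CELL, (glon + 0.5) * CELL, n / total


def profile(conn):
    """Home = where the phone sleeps; work = the weekday daytime cluster."""
    return {"home": dominant_cell(conn, NIGHT_HOURS),
            "work": dominant_cell(conn, WORK_HOURS, weekdays_only=True)}


def nights_away(conn, home):
    """ISO dates with night-time fixes outside the home cell: the break-in
    window the answer describes."""
    home_cell = _cell(home[0], home[1])
    return sorted({when.date().isoformat() for when, lat, lon in _fixes(conn)
                   if when.hour in NIGHT_HOURS and _cell(lat, lon) != home_cell})


if __name__ == "__main__":
    db = build_sample_db()
    p = profile(db)
    print("home", p["home"], "work", p["work"])
    print("nights away", nights_away(db, p["home"][:2]))
```

The same query over a real cache would need the device's local time zone applied before the hour test, and a coarser grid for cell-tower fixes than for GPS ones; the point is that no precision is needed to answer "where does this person sleep, and when are they not there".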

An example which was given to me is parallel control of political activists. If you get the localization data from an iPhone, you can automatically know whether the owner was part of a protest or meeting. With localization data from many iPhones, you could even deduce the existence, time and position of meetings that you were not aware of. Whether this is a security issue depends on the viewpoint: some governmental agencies would see it as a solution.

Of course, when an iPhone records which cell towers it senses, the said cell towers also sense the iPhone, and dutifully report that fact to the phone operator, because this is how the iPhone can act as, say, a phone (with a user who can be called). Having to extract the data from a file on the iPhone looks very indirect and inefficient to me; simply asking the data from the operator is much easier. So I have some trouble imagining what new security weakness this file creates.

Typically, getting the geolocation history from a phone carrier requires their cooperation with the police, and often a court order. On the other hand, a stored and (relatively) easily accessible file on the phone may be read with less burden on the police (or Trudy) to justify the need, and without the necessary consent or cooperation of the person holding the data.
–
Iszi Apr 27 '11 at 2:23

There is a use @nealmcb touched on but is quite an issue - legal investigations. Generally law enforcement requires warrants (it varies by jurisdiction) to seize and analyse a suspect's computers. They usually do not require the same for phones - which can usually be confiscated when bringing the suspect into custody, and the file is easily accessible to anyone.

So it becomes very easy for law enforcement to know where the suspect was at 10pm last Tuesday (I know, really they know where the phone was last Tuesday, but still...)

A good point, which I've also raised in comment to @ThomasPornin. There are apps available to counter this tracking mechanism, but they only run on phones which are jailbroken - a vulnerability in itself, depending on whom you ask.
–
Iszi Apr 27 '11 at 3:11


Actually evil doers should plain forge the file "See! I was at home!" rather than delete it...
–
Bruno Rohée Apr 27 '11 at 15:12

@Bruno, that's a very interesting point... Is it possible that this could be used as some form of "alibi", under certain conditions...?
–
AviD♦ Apr 30 '11 at 22:06

I think it would need a very tech-unsavvy court for this file to be retained as valid evidence, one way or the other. Not that such a court is very hard to find, sadly. Even if the file could be authenticated it could only prove where the phone has been, not its owner, in any case.
–
Bruno Rohée May 2 '11 at 9:33

To test whether I was being paranoid, I ran a little experiment. On a sunny Saturday, I spotted a woman in Golden Gate Park taking a photo with a 3G iPhone. Because iPhones embed geodata into photos that users upload to Flickr or Picasa, iPhone shots can be automatically placed on a map. At home I searched the Flickr map, and score—a shot from today. I clicked through to the user's photostream and determined it was the woman I had seen earlier. After adjusting the settings so that only her shots appeared on the map, I saw a cluster of images in one location. Clicking on them revealed photos of an apartment interior—a bedroom, a kitchen, a filthy living room. Now I know where she lives.

Heh, that's the trouble with hearsay - it always sounds believable, the FUD in this situation being a case in point. Though from social experiments, it's pretty easy to get completely non-believable rumours started too...
–
AviD♦ Apr 27 '11 at 9:50

Well, the file has to exist for the instant geolocation we love to work, and not much if anything is gained by purging old data, which makes the half-implemented feature sound pretty believable. Everyone seems in agreement that the file wasn't sent to anyone. I doubt the official truth coming from Apple will be any different; it seems they didn't officially answer that yet.
–
Bruno Rohée Apr 27 '11 at 10:20
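The mechanism the quoted experiment relies on, as an added example that is not part of the quoted article or the answer: the geotag sits in the JPEG's Exif APP1 segment as a GPS sub-IFD with latitude and longitude stored as degree/minute/second rationals, and any photo-sharing site can read it out before the uploader thinks about it. The block builds a constructed JPEG that carries only the Exif segment (no image data) so it runs offline, then parses it back; the coordinates are made up.

```python
"""Build a minimal JPEG with an Exif GPS block, then read the geotag back."""
import struct

GPS_IFD_TAG = 0x8825
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _to_dms(value):
    """Decimal degrees -> three (numerator, denominator) rationals, 0.01 s resolution."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round(((value - deg) * 60 - minutes) * 60 * 100)
    return [(deg, 1), (minutes, 1), (seconds, 100)]


def build_jpeg_with_gps(lat, lon):
    """Constructed JPEG: SOI + APP1(Exif, big-endian TIFF) + EOI, no scan data."""
    # TIFF layout: header 0-8, IFD0 8-26 (1 entry), GPS IFD 26-80 (4 entries),
    # latitude rationals 80-104, longitude rationals 104-128.
    gps_off, lat_off, lon_off = 26, 80, 104
    tiff = b"MM" + struct.pack(">HI", 42, 8)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, TYPE_LONG, 1, gps_off)
    tiff += struct.pack(">I", 0)                      # no IFD1
    lat_ref = b"N\x00\x00\x00" if lat >= 0 else b"S\x00\x00\x00"
    lon_ref = b"E\x00\x00\x00" if lon >= 0 else b"W\x00\x00\x00"
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", 1, TYPE_ASCII, 2) + lat_ref      # GPSLatitudeRef
    tiff += struct.pack(">HHII", 2, TYPE_RATIONAL, 3, lat_off)   # GPSLatitude
    tiff += struct.pack(">HHI", 3, TYPE_ASCII, 2) + lon_ref      # GPSLongitudeRef
    tiff += struct.pack(">HHII", 4, TYPE_RATIONAL, 3, lon_off)   # GPSLongitude
    tiff += struct.pack(">I", 0)
    for num, den in _to_dms(lat) + _to_dms(lon):
        tiff += struct.pack(">II", num, den)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(data):
    """Yield (marker, payload) for each JPEG segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("lost sync at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI / start of scan: metadata is over
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _ifd_entries(tiff, offset, order):
    """{tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        off = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[off:off + 8])
        entries[tag] = (typ, n, tiff[off + 8:off + 12])
    return entries


def _rationals(tiff, order, entry):
    _typ, n, raw = entry
    off = struct.unpack(order + "I", raw)[0]
    out = []
    for i in range(n):
        num, den = struct.unpack(order + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den)
    return out


def exif_gps(data):
    """(lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, payload in _segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        order = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _ifd_entries(tiff, struct.unpack(order + "I", tiff[4:8])[0], order)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _ifd_entries(tiff, struct.unpack(order + "I", ifd0[GPS_IFD_TAG][2])[0], order)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        d, m, s = _rationals(tiff, order, gps[2])
        lat = d + m / 60 + s / 3600
        d, m, s = _rationals(tiff, order, gps[4])
        lon = d + m / 60 + s / 3600
        if gps[1][2][:1] == b"S":
            lat = -lat
        if gps[3][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


if __name__ == "__main__":
    print(exif_gps(build_jpeg_with_gps(37.7694, -122.4862)))
```

Stripping the geotag before upload is the mirror image of this parser: drop the GPS entry from IFD0 (or the whole APP1 segment) and rewrite the file. Running `exif_gps` on a photo after export is the quickest check that a sharing app or site actually did so.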

Dominic White goes through a very detailed blog post entitled Blocking iPhone Tracking (consolidated.db) Solved. This is the best blog post yet on the subject matter, and provides some very simple and walkthrough-esque solutions for both jailbroken and stock phones.